Adobe Coldfusion vulnerabilities

CVE-2025-43566 [MEDIUM] CWE-22 CVE-2025-43566: ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitat

CVE-2025-30282 [CRITICAL] CWE-287 CVE-2025-30282: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not req

CVE-2025-24446 [CRITICAL] CWE-20 CVE-2025-24446: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validatio ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction, but admin panel privileges are required, and scope is changed.

CVE-2025-24447 [CRITICAL] CWE-502 CVE-2025-24447: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrus ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user resulting in a High impact to Confidentiality and Integrity. Exploitation of this issue does not require user interaction.

CVE-2025-30281 [CRITICAL] CWE-284 CVE-2025-30281: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, a

CVE-2025-30287 [HIGH] CWE-287 CVE-2025-30287: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requ

CVE-2025-30288 [HIGH] CWE-284 CVE-2025-30288: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a vi

CVE-2025-30286 [HIGH] CWE-78 CVE-2025-30286: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Expl

CVE-2025-30289 [HIGH] CWE-78 CVE-2025-30289: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and e

CVE-2025-30290 [HIGH] CWE-22 CVE-2025-30290: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to bypass security protections and gain unauthorized write and delete access. E

CVE-2025-30284 [HIGH] CWE-502 CVE-2025-30284: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrus ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires us

CVE-2025-30285 [HIGH] CWE-502 CVE-2025-30285: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrus ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires us

CVE-2025-30293 [MEDIUM] CWE-20 CVE-2025-30293: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validatio ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized write access. Exploitation of this issue does not require user interaction

CVE-2025-30291 [MEDIUM] CWE-200 CVE-2025-30291: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vul ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. A low privileged attacker with local access could leverage this vulnerability to gain access to sensitive information which could be used to further compromise the system or bypass security me

CVE-2025-30294 [MEDIUM] CWE-20 CVE-2025-30294: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validatio ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction

CVE-2025-30292 [MEDIUM] CWE-79 CVE-2025-30292: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scri ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE-2024-53961 [HIGH] CWE-22 CVE-2024-53961: ColdFusion versions 2023.11, 2021.17 and earlier are affected by an Improper Limitation of a Pathnam ColdFusion versions 2023.11, 2021.17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. T

CVE-2024-41874 [CRITICAL] CWE-502 CVE-2024-41874: ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code.

CVE-2024-45113 [HIGH] CWE-287 CVE-2024-45113: ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerabi ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access and affect the integrity of the application. Exploitation of this issue does not require user interaction.

CVE-2024-34112 [HIGH] CWE-284 CVE-2024-34112: ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerabi ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could exploit this vulnerability to gain unauthorized access to sensitive files or data. Exploitation of this issue does not require user interaction.